Tackling Unknown Threats at Scale

The problem of tackling Unknown Threats at Scale and the Gulf Between the Proof of Concept and the Real World are Not Unsolvable Problems...

Anyone who practices security for a living is well aware of the never-ending nature of security operations. We have a massive and evolving attack surface of users, applications, servers and infrastructure that must be kept up to date and patched. Security solutions themselves demand care and feeding with the latest updates. And even with the basics covered, we also have to be on the lookout for unknown threats and anomalies in our networks that can be an indicator of compromise.

This of course leads to a very asymmetrical battle between security teams and attackers. Security teams need to ensure all points are properly secured and the layers of defense are all in order, while the attacker only needs to find a single chink in the armor to order to succeed.

As a result, the problem of scale is one that is intertwined with enterprise security in most every facet. Specifically, the need to be consistent at scale. All end-users, all servers, all traffic must be in the umbrella of the security process. This task is quickly becoming a challenge for some of the newer and more sophisticated solutions dedicated to finding and stopping targeted malware and cyberthreats. Implementing a solution that can actively execute and test unknown files for malicious behaviors has shown the ability to uncover the custom and polymorphic malware that are used to initiate long-term, persistent attacks against an organization. However, applying this technology at scale, covering all traffic and all unknown files, can be another challenge entirely.

In a recent blog post, Mike Rothman of Securosis discussed just this problem:

“With the first generation of NBMD (network-based malware detection) technology catching an incremental 40-50% of malware at the perimeter was a win. But that is no longer good enough – we expect much better detection to justify further investment and yet another device on the perimeter. We see no end in sight for the exponential growth in traffic volume and quantity of malware samples. This imposes a significant scaling requirement on perimeter NBMD equipment – especially because we increasingly expect to deploy NBMD inline for reliable blocking of malicious files.”

There are some subtle but very important points there. The first is the implicit recognition that these new technologies must ultimately be deployed in-line in order to prevent threats, as opposed to simply detecting them. Given the costs associated with some of the newer malware detection technologies, security teams need them to be more than high-priced canaries that signal the presence of danger.

This means that when we talk about the scale of the problem, we need to be speaking the language of security that is patently in-line. In order to make the jump from proof-of-concept to production, we need to be talking in terms of the scale that we demand from our firewalls, IPS, or proxy solutions that all demand an obligate in-line deployment. This is not a trivial requirement, but it is one that is often overlooked in the excitement of evaluating the latest silver bullet.

Another important point that Mr. Rothman makes is simply preparing for the growth of traffic and malware in general. This too is a very underappreciated aspect of the problem of scaling cyberthreat solutions. Because we as security professionals are typically focused on the malware, we sometimes forget that our ability to scale is limited by the amount of benign files, not the malicious files. By definition when we look for targeted or polymorphic malware, we must analyze the unknown. This means anything that is not known prior to be good or bad must get analyzed. As a result, we must prepare for these new forms of analysis to be the standard, and not an exception. Again, there is often a gulf between the proof of concept and the real world.

While it may sound dire, the problem of tackling unknown threats at scale and the gulf between the proof of concept and the real world are not unsolvable problems. A variety of architectures exist that can meet these requirements and scale into the future. However, it’s important that these concepts become part of the criteria that we use to judge malware and cyberthreat solutions. If we don’t, we will simply relive the painful lessons learnt when a promising new solution fails to make the transition to production.

Wade Williamson is Director of Product Marketing at Vectra Networks. Prior to joining Vectra, he was a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.